February 26, 2010

STEVEN R. PHELPS
MANAGER, SOX MANAGEMENT CONTROLS AND INTEGRATION

HAROLD E. STARK
MANAGER, SOX AND PROCESS IMPROVEMENT

SUBJECT: Audit Report – Postal Service Sarbanes-Oxley Information Technology
         Fiscal Year 2009 Preparatory Testing
         (Report Number FT-AR-10-011)

This report presents the results of our assessment of the U.S. Postal Service's testing of Sarbanes-Oxley (SOX) information technology (IT) controls (Project Number 09BM001FT003). This self-initiated review addresses financial and strategic risks and allows management to enhance the Postal Service's preparations for compliance with the Sarbanes-Oxley Act of 2002[1] in fiscal year (FY) 2010. The objective of our review was to determine how the Postal Service could improve its approach to testing key IT controls in preparation for this compliance. See Appendix A for additional information about this audit.

Conclusion

Management could strengthen its approach to testing key IT controls for compliance with SOX Section 404 provisions. When we conducted our fieldwork, we noted that:

  • Management had not implemented procedures to facilitate coordination between the Business SOX Program Management Office (Business SOX PMO) and the Information Technology SOX Program Management Office (IT SOX PMO) when one group relies on compensating controls of the other. For example, the IT SOX PMO relied on revenue reconciliation business process controls to mitigate risks for two applications it determined would not be upgraded due to age, distribution, and cost of improving the technology. However, testing has shown that, to date, these controls are not effective. When business controls are not effective and would not compensate for identified IT risks, it is essential that the IT SOX PMO and the Business SOX PMO coordinate more closely while developing risk mitigation plans (RMPs) to learn which controls are not reliable and take other action.

  • Management could improve the design, performance, and documentation of key IT control tests for the FY 2010 SOX compliance efforts. During our observations of operating effectiveness testing, we identified several areas for improvement. For example, the test teams could improve how they document test results, as well as ensure that testers are properly approved to use remote testing techniques when appropriate.

During discussions with the IT SOX PMO, management indicated that in FY 2010, the testers would review compensating controls identified in the RMPs and assess whether responsible parties tested the controls and determined them to be reliable. Further, management generally agreed with our results relating to the internal testing of key controls. They provided information on the actions they have implemented as they execute the FY 2010 testing cycle. Therefore, we are not making any recommendations at this time. However, we will continue to monitor these concerns in our FY 2010 SOX compliance audit. See Appendix B for a detailed discussion of this issue.

Since we did not make any recommendations in this report, management chose not to respond formally to this report.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Lorie Nelson, director, Financial Reporting, or me at (703) 248-2100.

John E. Cihota
Deputy Assistant Inspector General
 for Financial Accountability

Attachments

cc: Joseph Corbett
    Vincent H. DeVito, Jr.
    John T. Edgar
    Sally K. Haring


APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

The United States Congress enacted SOX legislation in 2002 to strengthen public confidence in the accuracy and reliability of financial reporting. The PAEA[2] mandates that the Postal Service comply with Section 404 of SOX. Section 404 requires management to state its responsibility for establishing and maintaining an adequate internal control structure and make an assertion on the effectiveness of the internal control structure over financial reporting.

The Postal Service spent FY 2009 designing and formalizing a control structure for the business processes that support Postal Service customers and partners, as well as IT controls to support processing operations. The IT SOX PMO performed operating effectiveness testing as a part of its responsibility to manage the design, development, and implementation of internal SOX master control standards for IT SOX compliance. The IT SOX PMO designed the control tests – including those observed by the U.S. Postal Service Office of Inspector General (OIG) – to measure the effectiveness of IT controls supporting accurate and reliable financial data processing.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our review was to determine how the Postal Service could improve its approach to testing key IT controls in preparation for compliance with provisions of the SOX Act of 2002. Our work included a review of the Postal Service's IT master controls and test instructions, an evaluation of all approved RMPs, an observation of control tests performed by the Postal Service, and a review of final test documentation.

As of June 12, 2009, the Postal Service had approved eight RMPs documenting their strategy for addressing IT control gaps. As of September 25, 2009, the Postal Service had identified 248 IT master controls. Each master control could be applied a number of times across platforms, operating systems, applications, or databases in order to determine the number of associated detail controls. As a result, management estimated that about 2,500 detail controls would need testing.

We included 44 of the 248 IT master controls in our review. We conducted observations of the Postal Service test teams and documentation reviews of test evidence, analyses, and conclusions prepared by the test teams for 31 of the controls. We used judgmental selection criteria, which we based on the timing of the tests and our desire to observe a variety of controls. We also reviewed test documentation for 13 controls that we did not observe. Our review of all test documentation was limited to the information exported from the GRCm tracking software[3] by the IT SOX PMO.[4]

Members of Postal Service test teams in Eagan, MN, Raleigh, NC, and a roving team covering Postal Service Headquarters and various other processing locations performed the IT control tests. The OIG observed at least 20 percent of the master control tests each team conducted by the target dates listed in the table below. We focused on providing a range of coverage for the test of 248 master IT controls considered, rather than the approximately 2,500 detail control tests.

IT Control Tests Observed and/or Reviewed by OIG

  Postal Service   Number of Control Tests   Percentage of Controls          Date Postal Service
  Team             Observed by OIG           Available for Observation[5]    Completed Testing
  ---------------  ------------------------  ------------------------------  -------------------
  Eagan            12                        52%                             9/11/2009
  Raleigh          10                        29%                             9/11/2009
  Roving            9                        30%                             9/25/2009
  Subtotal         31

  Sample           Number of Control Tests   Percentage of Controls          Test Data
  Application      Reviewed by OIG           Available for Review            Available As Of
  ---------------  ------------------------  ------------------------------  -------------------
  TCSS             13[6]                     50%[7]                          10/13/2009

  Total tests discussed in report: 44

The control tests observed and test documentation reviewed by OIG covered about half of the IT systems and infrastructure components supporting the FY 2009 financial statements.

We conducted this self-initiated review from March 2009 through February 2010 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management officials on January 26, 2010, and included their comments where appropriate. We did not rely on computer-generated data to support the opinions and conclusions presented in this report.

PRIOR AUDIT COVERAGE

The OIG did not identify any prior audits or reviews related to the objective of this audit.


APPENDIX B: DETAILED ANALYSIS

Reliance on Business Controls

We reviewed all eight RMPs management had approved as of June 12, 2009, and found that compensating business controls that serve to mitigate IT risks in two RMPs might be unreliable. The business controls cited in the two RMPs relied on the effectiveness of the revenue reconciliation process at Postal Service field offices. However, the OIG reported concerns regarding reconciliations in its FY 2009 capping report of financial installation audits conducted at post offices, stations, and branches.[8]

According to Section 404 of SOX, management must document, test, and report on the operating effectiveness of internal controls over financial reporting on an ongoing basis. The Postal Service's IT SOX Handbook[9] outlines Section 404 readiness activities to include testing the designated compensating controls for those IT SOX controls for which management has documented an RMP.

When notified of these concerns, IT SOX management indicated they did not coordinate with the Business SOX PMO when developing their risk mitigation plans. Targeted coordination between the two groups would help both Business SOX PMO and IT SOX PMO management better identify and address compensating business controls prior to SOX testing. As a result, management would have a more comprehensive understanding of the actions needed to address potential gaps in risk mitigation and control testing.

The two RMPs describe IT controls that are not in place for two applications due to the age, distribution, and costs associated with upgrading the technology used. Both RMPs point to the same set of 13 business controls to mitigate risks associated with the missing IT controls. Management described these business controls in Business Process Narratives (BPNs) related to retail sales units and cash deposits.[10] These compensating controls relate to supervisory reviews and reconciliations over the financial reporting provided by field units. Specifically, field accounting procedures[11] require miscellaneous expenses to be issued to corresponding field units when exceptions are identified during reconciliations. Field accounting returns these exceptions to the field units for research and resolution. In FY 2009, the OIG found that 56 of 105 field units sampled did not monitor or resolve differences as required by Postal Service policy. As a result, business controls designed to ensure accurate financial reporting do not adequately mitigate the risks associated with missing IT master controls for IRT and POS units.

Subsequent to our review of RMPs, the IT SOX PMO performed tests in October of the IT controls included in one of the RMPs discussed above and concluded that the IT controls failed. The record of testing documented exceptions with some of the compensating business controls and identified other business controls the Business SOX PMO had not tested. In August, the IT SOX PMO also adjusted their approach to testing database layer controls for field applications such as POS. As a result, they determined that the second RMP discussed above was no longer necessary. Finally, the IT SOX PMO indicated that in FY 2010, testers will review compensating controls identified in the RMPs and assess whether responsible parties tested the controls and determined them to be reliable.

Internal Testing of Key IT Controls

Our review of the Postal Service's testing of selected key IT controls disclosed that 29 of 44[12] IT controls had issues concerning:

  • The manner in which the tests were performed.

  • The quality of the supporting documentation for the analyses performed.

  • The design of the test instructions to address the control objective.

  • The manner in which the test results were reflected in the GRCm tracking software.

These issues were present in the work of each of the three Postal Service test teams, as well as in the documentation for a sample application.[13] Specifically, for 19 controls, we identified issues with the manner in which management performed the tests to assess the operating effectiveness of the control. For example, we observed that the tester was not present at the location for certain aspects of one control test. In this case, the tester used remote meeting software to oversee the commands executed by a Postal Service staff member during the test. While this may be an acceptable practice under certain conditions, it is difficult to ensure that the individual responsible for assessing the effectiveness of the control adequately observes all aspects of the test. The IT SOX PMO indicated they intend to have testers present at control tests and will provide test teams with guidance in FY 2010 on the use of remote meeting software under appropriate conditions.

We also identified issues with 13 controls regarding the quality of documentation to support control tests. In one case, instructions for the inactivity timeout control test for UNIX workstations identified three different types of workstations to be reviewed. The supporting test documentation did not provide a listing of the types of workstations included in the universe for sampling or in the test analysis. The screen shots we obtained show that at least two types of workstations were included in the test, but did not include screen shots related to the third type. The test documentation did not indicate whether the third type was used in Raleigh and should have been tested. We believe that under similar circumstances the sampling procedures should ensure that at least one of each type of item described in a control is included in the sample selected for review. The IT SOX PMO indicated agreement with this concern. They also noted that management used alternative sampling methods in FY 2009 for readiness purposes, while they will use formal sampling methods in FY 2010 for assurance purposes.

For eight controls, we identified concerns with whether the test management performed effectively addressed the control objective. In one case, the control objective for patch management stated that management should evaluate application-level software patches or releases for applicable commercial off-the-shelf packages at least semiannually and implement them when appropriate. The control test documentation indicated that one of four patch reviews concluded with a recommendation to install the patch. However, the tester did not determine whether management took action on this recommendation and, instead, focused only on patches that management implemented into production in FY 2009. While our review of the patch assessment suggests the patch review progressed to the testing phase, it is unclear why the patch was not installed or whether information on the patch implementation was not loaded to the appropriate documentation library. We believe the testing approach should include confirmation that management tested and moved to production the recommended patches, as appropriate. The IT SOX PMO agreed with this concern and indicated they have enhanced the test design to include confirmation of whether management has implemented a patch into production.

Finally, we identified six controls with concerns related to how management applied the outcome of the tests to the sample application and/or how they recorded the tests in the tracking software. For one control, the test of password expirations disclosed that a tester confirmed the password expiration period for regular users at the time of the test was 176 days, which exceeded the 90-day requirement. Since there was a plan in place to reduce the expiration period from 176 to 90 days by October 2009, the tester reported the test result as PASS even though he tested the control in July 2009. We believe the test results recorded in the tracking software should reflect the condition of the control at the time of testing and not an expected future condition. In our discussions with management, the IT SOX PMO disagreed, stating they determined the remediation approach, timeframe, and conclusion were proper in accordance with IT executive briefing directives. While we do not dispute the reasonableness of the remediation action taken, we maintain that test results should reflect the condition of the control at the time of testing. In this case, remediation was not complete and the control was not functioning as intended at the time testing occurred.

The IT SOX Handbook outlines Section 404 readiness activities such as operating effectiveness testing and remediation. It provides guidance on performing tests at IT organizations, assigning staff to perform control testing, developing and implementing remediation action plans, and incorporating all relevant analyses in the overall aggregation of results.

Management did not intend the FY 2009 testing documentation to substitute for formal assurance. Instead, management, in some cases, performed testing to allow for exploration and process validation in anticipation of FY 2010 SOX compliance efforts. Nevertheless, while we understand the differences between management's testing approach in FY 2009 and their approach for FY 2010, management should continue to focus on ensuring that testing methods and related documentation are adequate for FY 2010, so that the operating effectiveness of internal controls over financial reporting can be reliably determined.

During preliminary discussions with the IT SOX PMO, OIG provided a detailed listing of the 44 key controls included in our review and the corresponding issues identified. The IT SOX PMO provided comments on the areas of concern. Whether by direct agreement from the IT SOX PMO or through knowledge of changes in the Postal Service's approach for IT testing in FY 2010, we believe we have reached general agreement with the Postal Service regarding these concerns.


Footnotes

[1] The U.S. Congress enacted SOX legislation in calendar year 2002 to strengthen public confidence in the accuracy and reliability of financial reporting. Section 404 of SOX requires management to state its responsibility for establishing and maintaining an adequate internal control structure and make an assertion on the effectiveness of the internal control structure over financial reporting. The Postal Accountability and Enhancement Act (PAEA) of 2006 mandates the Postal Service comply with Section 404 of SOX.

[2] Public Law 109-435, signed on December 20, 2006.

[3] Governance, Risk and Compliance Manager (GRCm) is the software the Postal Service uses to track and document its SOX testing of internal controls.

[4] The Postal Service has not completed development and testing of read-only access to GRCm, so the OIG was not able to independently identify and select data for review.

[5] We rounded percentages to the nearest whole number.

[6] Two of the 15 TCSS controls had already been included in the tests observed as part of the Eagan and roving test teams' controls.

[7] This percentage represents 13 unduplicated controls of 26 total TCSS controls for which test data was available.

[8] The OIG reported these issues in several capping reports, most recently in Fiscal Year 2009 Financial Installation Audits – Post Offices, Stations, and Branches (Report Number FF-AR-10-045, dated December 14, 2009).

[9] IT SOX Handbook, June 2009, current as of November 2009.

[10] BPN 102: ReSA – Retail Units, BPN 123: Cash Deposits – Bank of First Deposit/Wells Fargo, and BPN 124: Cash Deposits – Confirmed Deposits.

[11] Handbook F-101 Field Accounting Procedures, July 2008, with revisions through July 2009.

[12] There were 248 IT master (key) controls as of the date of our review.

[13] Transportation Contract Support System (TCSS).